Can I use a token with ArcGIS API for Python?

DavidAskov1 · ‎01-23-2018

I'm interested in using the ArcGIS API for Python to connect to an ArcGIS Online for Organizations account via a token, and not a username/password. All the examples I have found look like this:

from arcgis.gis import GIS
gis = GIS("portal url", "username", "password")

How would I pass a token into this API, instead of username/password?

In case it matters, I want to connect to ArcGIS Online for Organizations, so my user name is <user>_<org_suffix>. My organization does not use an Enterprise Login, so I just log in directly at the Esri site.

Bonus question: I know how to generate the token with Python and the REST API (using JSON). Any idea how to do so with the ArcGIS API for Python?

thanks, David

DavidAskov1 · ‎09-12-2018

No, not in the Python API. It sounds like it intentionally abstracts it for you. Note that if you put in a bad user/pass combination, the error will say it was unable to generate a token.

You might be able to open the wheel file and figure out how they do it, but that might violate the EULA, but more importantly, you'd be maintaining your own code, which defeats the purpose of using an API that's supposed to do basic stuff like this for you. Kelly posted some links on how to do it with the REST API, which you could easily automate with Python.

I just went with creating a "profile" in the GIS() constructor. It leaves your user/pass sitting around on a server, so you just want to make sure that is appropriately locked down. Since the tokens only last two weeks, I would probably automate a solution to create a new one. I was thinking I might run that on my PC and FTP it over to the server. In the end, that seems too fragile to depend on a desktop machine, so automation would send me back to having my username and password sitting around on a server. With all paths leading to my user/pass sitting on a server, I didn't perceive that there was any benefit to pursuing this further... I wish we could create a longer length token, like you can with ArcGIS Server (up to one year).

GeofyAdmin · ‎09-12-2018

Actually David and all, this has already been resolved starting with ArcGIS for Python version 1.4. Make sure you have updated to this or latest 1.5 version.

The GIS class has been extended to take a token as part of the kwargs optional keyword arguments.

arcgis.gis module — arcgis 1.5.0 documentation

Code below assumes connecting to arcgis.com and uses a token (it will also connect to your organizational account in agol).

AGOLConnection = GIS(token=agolToken)

if you wanted to connect to your own portal then provide the url parameter.

This is resolve now.

DavidAskov1 · ‎09-12-2018

Geofy Admin‌ - Thanks for the info. Glad to hear they're listening to our forum posts! I am using an earlier version, so will look to upgrade the next time I re-open this project.

The docs say this is only for built-in security - does that mean this is not available when using enterprise logins?

GeofyAdmin · ‎09-12-2018

Hi David,

Regarding your question about support for Enterprise Logins (i.e. enterprise identity stores served through LDAP providers like AD or SAML providers like ADFS), I think when those are used, token authentication does not happen between the client application and the Portal but between the proxy and the Portal.

Don’t get me wrong, the Portal only understands ‘tokeneze’ language when authenticating requests to secure items, however in the configuration above (just like when you use a web adaptor and IWA with ArcGIS Server), the proxy in front of your app (i.e. Web Adaptor) establishes the connection with the Portal using tokens while your user is authenticated at the proxy level say using IWA (this is also known as web tier authentication). So client app requests secure Portal content using the Web Adaptor URL, passing the user principal from AD. The WA authenticates with AD, then proxies the request to the Portal URL (switching port to 7443 and appending the admin token). No token is issued to your client.

Long story short, for Enterprise Logins your python app does not need to pass a token or a user + pass. If things are configured correctly (i.e. Single Sign On works), the only thing needed is the URL parameter like this:

myGIS = GIS(url=‘myPortal.com/home’)

Hope that made sense.

In any case, with these things verify first, trust later.

...yes Esri listened this once. Also, they are soon going to allow creating admin connections from Pro to AGS which is not currently possible and is a slap in the face for all customers that bought core-based AGS licenses. Progress of a kind.

GeofyAdmin · ‎09-12-2018

...and last note: Esri’s documentation makes it look like there is either built in or enterprise identity stores in Portal. In fact built in is always present. You can continue to keep a mix of users from each store (not much sense from a business perspective but technically possible). Built in users need to connect directly to Portal on port 7443 while enterprise users should go through the web adaptor for SSO.

Frankly Portal can pull users from three locations: built in, LDAP or SAML stores. All three can be operational at the same time.

Anonymous User · ‎01-20-2020

Use this one

Obtaining a client idhttps://developers.arcgis.com/python/guide/working-with-different-authentication-schemes/#Obtaining-...

The steps below show how a client id can be obtained by registering a new application with your GIS. Only one client id is required, so if your GIS has one already, you may use it instead of creating a new application.

Log into your web GIS (ArcGIS Online organization or ArcGIS Enterprise)
Go to Content tab
Click '+ Add Item > An Application' menu
Add an application:
- Type: Application
- Title: Python
- Tags: python
On the Item details page of this newly created application, navigate to Settings tab
Click the Registered Info button. It's towards the bottom of the page.
This will dispaly an App ID. This is your client id and needs to be passed in as the client_id parameter when construcing a GIS object. You need this in your Python code to log in.

You can then log on to your org using the Python API using the code shown below:

This uses interactive sign-in experience: you would be redirected to your organization's sign in page using the configured identity provider. Upon signing in, you would get a code, that you can paste back to complete the sign in process:

gis = GIS("https://python.playground.esri.com/portal", username="arcgis_python", password="amazing_arcgis_123",          client_id='f8cRxbP3NO8bf9ag')print("Successfully logged in as: " + gis.properties.user.username)

Working with different authentication schemes | ArcGIS for Developers